Cisco Catalyst 6500 Series Configuration Manual page 168
Chapter 9 Configuring Network Address Translation
Using Dynamic NAT and PAT

See the following description about options for this command:

access-list acl_name—Identify the local addresses and destination addresses using an extended ACL. Create the ACL using the access-list command (see the "Adding an Extended Access Control List" section on page 10-13). This ACL should include only permit access control entries (ACEs). You can optionally specify the local and destination ports in the ACL using the eq operator.

nat_id—An integer between 1 and 65535. The NAT ID must match a global statement NAT ID. See the "Dynamic NAT and PAT Implementation" section on page 9-17 for more information about how NAT IDs are used. 0 is reserved for NAT exemption. (See the "Configuring NAT Exemption" section on page 9-31 for more information about NAT exemption.)

dns—If your NAT statement includes the address of a host that has an entry in a DNS server, and the DNS server is on a different interface from a client, then the client and the DNS server need different addresses for the host; one needs the global address and one needs the local address. This option rewrites the address in the DNS reply to the client. The translated host needs to be on the same interface as either the client or the DNS server. Typically, hosts that need to allow access from other interfaces use a static translation, so this option is more likely to be used with the static command. (See the "DNS and NAT" section on page 9-13 for more information.)

outside—If this interface is on a lower security level than the interface you identify by the matching global statement, then you must enter outside to identify the NAT instance as outside NAT. (See the "Outside NAT" section on page 9-10 for more information.)

norandomseq—No TCP Initial Sequence Number (ISN) randomization. Only use this option if another in-line firewall is also randomizing sequence numbers and the result is scrambling the data. See the "Security Level Overview" section on page 6-6 for information about TCP sequence numbers.

tcp tcp_max_conns, udp udp_max_conns—The maximum number of simultaneous TCP and/or UDP connections for the entire subnet up to 65,536. The default is 0 for both protocols, which means the maximum connections.

emb_limit—The maximum number of embryonic connections per host up to 65,536. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. This limit enables the TCP Intercept feature. (See the "Other Protection Features" section on page 1-6 for more information.) The default is 0, which means the maximum embryonic connections. You must enter the tcp tcp_max_conns before you enter the emb_limit. If you want to use the default value for tcp_max_conns, but change the emb_limit, then enter 0 for tcp_max_conns. Not supported for outside NAT.

Regular NAT:

FWSM/contexta(config)# nat (local_interface) nat_id local_ip [mask [dns] [outside | [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]]]

The nat_id is an integer between 1 and 2147483647. The NAT ID must match a global statement NAT ID. See the "Dynamic NAT and PAT Implementation" section on page 9-17 for more information about how NAT IDs are used. 0 is reserved for identity NAT. See the "Configuring Identity NAT" section on page 9-29 for more information about identity NAT.

See the policy NAT command above for information about other options.

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
9-24
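The options described above, put together in one FWSM context configuration. This is an added example, not text from the guide; the interface names (inside, outside), the ACL names and all addresses are assumed sample values, and the limits shown are illustrative.

```cisco
! Added example for this section, not configuration from the guide.
! Interface names, ACL names and every address below are constructed
! sample values.

! NAT exemption uses the reserved nat_id 0: traffic from 10.1.1.0/24 to
! the 192.168.10.0/24 partner network passes untranslated.
access-list NO_NAT permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

! Policy NAT (nat_id 1): only 10.1.1.0/24 traffic to the
! 209.165.200.224/27 server block on TCP port 80 is translated.
! The ACL holds permit ACEs only; the port is selected with "eq".
access-list POLICY_NAT permit tcp 10.1.1.0 255.255.255.0 209.165.200.224 255.255.255.224 eq 80
nat (inside) 1 access-list POLICY_NAT

! Regular dynamic NAT (nat_id 2) for the rest of the inside network,
! with per-subnet limits: 5000 TCP connections, at most 100 embryonic
! (half-open) connections per host, and 2000 UDP connections.
! tcp_max_conns must be entered before emb_limit; the embryonic limit
! is what enables TCP Intercept for these hosts.
nat (inside) 2 10.1.0.0 255.255.0.0 tcp 5000 100 udp 2000

! Keep the default (unlimited) TCP connection count but still cap
! embryonic connections: enter 0 for tcp_max_conns, then emb_limit.
nat (inside) 3 10.2.0.0 255.255.0.0 tcp 0 50

! Every nat_id above except 0 needs a global statement with the same
! ID on the lower-security interface: nat_id 1 gets a dynamic NAT
! address pool, nat_id 2 and 3 each get a single PAT address.
global (outside) 1 209.165.201.10-209.165.201.20 netmask 255.255.255.224
global (outside) 2 209.165.201.30
global (outside) 3 209.165.201.31
```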